The Nigeria Data Protection Commission has announced plans to begin imposing heavy fines on businesses that handle Nigerians’ data—known as data controllers and data processors—starting in 2025.
The Commission’s National Commissioner, Dr. Vincent Olatunji, revealed this move in his outlook for the year, highlighting a significant shift in the enforcement of the Nigeria Data Protection Act.
Dr. Olatunji emphasized that, until now, the NDPC had not issued any fines but confirmed that this would change in the coming year. “For data controllers and processors, there is going to be massive enforcement in 2025. We have never issued any fines, but going forward, you will hear us issuing heavy penalties,” he stated.
The new enforcement approach marks the beginning of a robust push by the Commission to uphold data protection laws and ensure businesses handle Nigerians’ personal information responsibly. The NDPC is determined to hold organizations accountable for any violations under the NDPA.
In addition to enforcement, the NDPC plans to drive job creation by launching trained data protection professionals into the job market. Dr. Olatunji highlighted that the second phase of the NDPC’s 2023-2027 roadmap, which focuses on job creation and capacity building, will be a major focus for 2025.
“Nigerians will begin to see the impact of the experts and professionals we trained last year. We are developing a pool of globally competitive human capital in the data protection ecosystem,” Dr. Olatunji explained. He noted that the demand for trained data protection professionals has grown, with many data controllers and processors looking for qualified individuals to help safeguard personal information.
The NDPC intends to continue its awareness campaign across Nigeria, ensuring that citizens understand their data privacy rights and the importance of data protection. This outreach aims to bridge the gap between the growing demand for data protection expertise and the supply of trained professionals.
As part of its efforts to streamline data protection in Nigeria, the NDPC will enforce the registration of all data controllers and processors in the country. Dr. Olatunji previously outlined a timeline for the mandatory registration of over 500,000 organizations, including banks, telecom operators, insurance companies, schools, and other entities that process personal data.
“All data controllers and processors are required to register with the data protection authority. The law stipulates that they must acquaint themselves with the provisions of the law within six months,” he said. To ensure this is achieved, the NDPC will conduct further awareness campaigns across the country, with a special focus on Abuja in the coming months.
The registration deadline for data controllers is set for December 31, 2025. Following registration, organizations will be required to submit annual audit reports between January 1 and March 31 of each year, detailing the measures they have implemented to safeguard personal data.
The push for stronger data protection comes in the wake of President Bola Tinubu’s signing of the Data Protection Bill into law on June 12, 2023. This law transformed the National Data Protection Bureau into the Data Protection Commission, empowering it with the authority to enforce regulations and oversee the implementation of the NDPA.
Data protection has become a global priority in recent years, with numerous data protection agencies—particularly in the European Union—imposing heavy fines on multinational companies for violating data privacy laws. Social media giants such as Meta, LinkedIn, and TikTok have faced significant sanctions in 2024 for breaching data protection regulations, highlighting the increasing importance of safeguarding user data worldwide.